[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
bugzilla-daemon at mindrot.org
Mon Sep 22 23:06:27 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=701
Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
Product: Portable OpenSSH
Version: 3.7.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: jfh at cise.ufl.edu
When the directive PermitRootLogin is specified as 'without-password', root
can still log in with a password using the 'keyboard-interactive/pam' method
and possibly others.
The fix is to permit only certain methods to allow root logins, and deny
the rest. The patch I will be providing currently only allows root to log in with
the 'publickey' method. Others can be added as necessary, but as methods are
added in the future they will default to not allowing root to log in when
PermitRootLogin is set to 'without-password' unless specified in this routine.
(This is different from the patch I sent to the list, which allowed root to
log in with all methods except those explicitly denied.)
This may warrant a security announcement as there may be sites with
PermitRootLogin set to 'without-password' who are using PAM for logins
and who are unaware that root can still log in with a password.
Also, the following code in auth-password.c

    #ifndef HAVE_CYGWIN
            if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
                    ok = 0;
    #endif

seems to prevent the auth.c:auth_root_allowed() routine from ever being called,
meaning that the following log line in auth.c doesn't get called:
    logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());

When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
gets run properly.
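The allow-list design the report proposes (root permitted only for methods named explicitly, everything else refused by default), as an added example that is neither the reporter's patch nor OpenSSH source; the enum values, the method list and the function name are assumptions chosen to mirror sshd's PermitRootLogin settings.

```c
/* Added example, not OpenSSH code: per-method root login check for
 * PermitRootLogin. Names and values are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Models the PermitRootLogin settings: no, forced-commands-only,
 * without-password, yes. */
enum permit_root {
    PERMIT_NO = 0,
    PERMIT_FORCED_ONLY,
    PERMIT_NO_PASSWD,
    PERMIT_YES
};

/* Methods that may authenticate root under 'without-password'.
 * Only 'publickey' is listed, as in the report; any method not listed
 * here (password, keyboard-interactive/pam, and anything added later)
 * is refused without needing a change to this list. */
static const char *const root_nopasswd_methods[] = { "publickey", NULL };

/* Return 1 if root may log in with `method` under `setting`, else 0.
 * The caller has already established that the target account is uid 0. */
int auth_root_allowed(const char *method, enum permit_root setting)
{
    const char *const *m;

    switch (setting) {
    case PERMIT_YES:
        return 1;
    case PERMIT_NO_PASSWD:
        for (m = root_nopasswd_methods; *m != NULL; m++)
            if (strcmp(method, *m) == 0)
                return 1;
        return 0;
    case PERMIT_FORCED_ONLY:
        /* Key-only as well; the command= key-option check that this
         * setting additionally requires is outside this example. */
        return strcmp(method, "publickey") == 0;
    case PERMIT_NO:
    default:
        return 0;
    }
}

int main(void)
{
    /* Constructed check: the case the report describes must now be refused. */
    if (!auth_root_allowed("keyboard-interactive/pam", PERMIT_NO_PASSWD))
        printf("ROOT LOGIN REFUSED (method keyboard-interactive/pam)\n");
    return 0;
}
```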